The first two articles in this series focused on integrating and installing local Active Directory with Office 365 and setting up federation and single sign-on. Both are great features for any organization looking to realize the benefits of mixing on-premise Active Directory with the cloud-based messaging, collaboration, and other features of Office 365. In today’s article, we’ll complete the trifecta and perform the steps necessary to activate local Active Directory synchronization with Office 365.
Federation and single sign-on allow Office 365 to trust the authentication of users performed by Active Directory, but user accounts must be synchronized between the systems for everything to work. While user information could manually be duplicated in Office 365, that would get very old, very fast. Thankfully, the Microsoft Directory Synchronization Tool offers a better way.
The Microsoft Directory Synchronization Tool replicates certain objects and attributes from the local AD with Windows Azure Active Directory. Windows Azure AD is the cloud back-end that provides identity and access capabilities for Office 365. Objects replicated include user and groups and the attributes synchronized are those typically found in Exchange’s Global Address List such as description, phone number, and the like. Review the Microsoft Support article for a complete list of synchronized attributes.
Note: There are a few things to be aware of before turning on Directory Synchronization. First and foremost, it’s not easy to turn off. In other words, Directory Synchronization should be viewed as permanent. So don’t turn it on just to give things a whirl. Disabling synchronization requires use of a PowerShell cmdlet. You may also effectively turn things off by limiting the scope so that no local AD objects get synchronized. Also keep in mind that once Directory Synchronization is active, all synchronized users can only be managed locally. You can’t modify synchronized objects through the Office 365 Admin Center. This is probably the goal in the first place, but something to be aware of nonetheless.
There are a number of requirements for installing the Directory Synchronization Tool. For instance, the tool cannot be installed on a Domain Controller, nor can it be installed on the computer running Active Directory Federation Services 2.0. Wherever it’s installed, that computer must be joined to the Active Directory domain and it must be capable of running SQL Server 2008 Express, the .Net Framework 3.5, and PowerShell.
Synchronization is scheduled by default to run every three hours. Synchronized objects should show up almost immediately in Office 365, but they may take up to a day to appear in the Offline Address Book or Lync Online.
Let’s get this show on the road by activating Active Directory synchronization within the Office 365 Admin Center.
It’s also possible to complete these steps using the Windows Azure Active Directory Module for Windows PowerShell.
The activation process will begin immediately, but it may take up to 24 hours to show complete in the Office 365 Admin Center.
Don’t attempt to configure the Microsoft Online Services Directory Synchronization Tool until activation completes. Speaking of which, an unusual snag occurred during the course of preparing this article. Twenty four hours came and went, yet the activation process still continued to display “being activated.” This little snafu required a 72-hour unexpected jaunt through Microsoft’s Office 365 support system. The adventure nearly caused me to pull my hair out (if I had any left) and could warrant a dedicated article of its own. In case you encounter this problem, I want to give you some Petri exclusive tips right here, right now.
Moving on! First, download the Microsoft Online Services Directory Synchronization (DirSync) Tool. Then, follow these steps.
Only install and run the DirSync tool on one computer in the local AD domain.
During installation, the DirSync tool creates a service account, MSOL_AD_SYNC, in the Users Organizational Unit of the local AD. This is the account the tool will use to read the local AD. If this account is ever moved, disabled, or removed you can probably guess what will happen: synchronization failures!
As previously mentioned, if the Activate Directory Synchronization process in the Office 365 Admin Center hasn’t fully completed, the wizard will fail right here. This is a common problem that isn’t well documented and can have you reaching for an antacid in short order.
The next step enables support for a hybrid environment. Having a hybrid environment allows supporting a mix of both local Exchange mailboxes and online Office 365 Exchange mailboxes. It also enables archiving local mailboxes into the cloud. It enhances how spam protection and unified messaging interact between the cloud and local systems. All are good features to have, but enabling a hybrid configuration only works if you have Exchange 2010 SP1 locally. If not, sorry Charlie, you’re out of luck.
During the initial synchronization, a copy of all the local AD users and groups is written to the Office 365 Windows Azure AD directory. From then on, the DirSync Tool simply checks for changes and writes those to the cloud as necessary.
Note: Synchronizing users doesn’t automatically grant them an Office 365 license. This is a good thing.
Very soon, all the local AD accounts will appear in the Office 365 Admin Center under the users and group node.
Congratulations! Federation, single sign-on, and directory synchronization are now all features that your organization can enjoy as part of a robust Office 365 implementation.
Stay tuned for future Petri articles covering various facets of Office 365 deployment, administration, and troubleshooting.